Your Security Report

How to interpret your results

After your scan completes, you get a security report with every finding and its severity. Here's how to read it and what to do with it.

Understanding severity levels

Critical
Fix immediately — before your next user session

A Critical finding means sensitive data is actively exposed or your app is trivially compromised right now. An attacker could exploit this with a one-line script. Stop and fix this before anything else.

Example: Exposed API key or secret in page source; app served over HTTP without HTTPS.
High
Fix this week

A High finding means your app has a serious misconfiguration that an attacker can realistically exploit. It requires them to craft a specific attack, but the barrier is low. Fix this before you grow your user base.

Example: Wildcard CORS policy (Access-Control-Allow-Origin: *).
Medium
Fix in your next deployment

A Medium finding means your app is missing defenses that would mitigate common attack types. On their own they're not immediately exploitable, but they amplify the impact of other vulnerabilities. Fix them in your next planned deployment.

Example: Missing security headers (X-Frame-Options, CSP, HSTS).
Low
Address when convenient

A Low finding is a hardening recommendation or an informational issue. It's worth fixing, but it's unlikely to result in a breach on its own. Address these when you have time.

Example: Missing X-Content-Type-Options; sensitive paths in robots.txt.

What to do with your results

1
Start with Critical findings

If you have any Critical findings — especially exposed API keys or no HTTPS — stop everything and fix those first. They represent active exposure, not theoretical risk.

2
Fix High issues before growing

High findings like wildcard CORS become more dangerous as you grow. An app with 10 users is less attractive than one with 1,000. Fix these before scaling.

3
Batch Medium issues into your next deploy

Security headers are a one-time fix — add a vercel.json or next.config.js headers block and all Medium header findings disappear in a single deployment.

4
Re-scan after fixing

After you fix issues and redeploy, run VibeScan again to confirm the fixes are live. VibeScan checks what's actually served, not what's in your code.

What a clean report means

A VibeScan with all green checks means your app's publicly visible surface is well-configured. You have HTTPS, security headers, a locked CORS policy, and no exposed secrets in your page source.

It does not mean your app is perfectly secure — VibeScan can only see what an outside observer can see. Authentication logic, database access controls, and server-side configuration require code review. A clean VibeScan score means you've handled the most common and most easily exploitable issues.

Was this helpful?
← What We CheckNext: Integrations →